Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Maintenance: Remove transitional flags to complete upgrade to Rails 5.2 #2676

Merged
merged 6 commits into from
Oct 22, 2019

Conversation

kevinrobinson
Copy link
Contributor

This removes flags that were added as part of the upgrade process to Rails 5.2, in preparation for upgrading to 6.0 next.

It's possible that per_form_csrf_tokens interacts with some JS in a way that wasn't revealed in integration tests, so I'll test this manually on the demo site first.

@kevinrobinson
Copy link
Contributor Author

FWIW, I don't think this per-form CSRF flag actually provides additional protection as far as I can tell. The UJS adapter also seems to blow away any per-form tokens and set them all to the global token (eg, https://github.com/rails/rails/blob/b2eb1d1c55a59fee1e6c4cba7030d8ceb524267c/actionview/app/assets/javascripts/rails-ujs/utils/csrf.coffee#L25). The global token seems like it is always also valid based on their test cases (eg, test_accepts_global_csrf_token in https://github.com/rails/rails/blob/99d12b950756c7d2a4afff538bcf04b40eda82bf/actionpack/test/controller/request_forgery_protection_test.rb#L910). Other issues confirm this (see github/rails/rails/32930, closed without a fix).

@kevinrobinson
Copy link
Contributor Author

selfie

@kevinrobinson kevinrobinson merged commit d43e1b9 into master Oct 22, 2019
@kevinrobinson kevinrobinson deleted the cleanup/deprecated-token branch October 22, 2019 15:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant